We consider the cryptographic task of bit-string generation. This is a generalisation of coin tossing 
in which two mistrustful parties wish to generate a string of random bits such that an honest party 
can be sure that the other cannot have biased the string too much. We consider a quantum protocol 
for this task, originally introduced in Phys. Rev. A 69, 022322 (2004), that is feasible with present 
day technology. We introduce security conditions based on the average bias of the bits and the 
Shannon entropy of the string. For each, we prove rigorous security bounds for this protocol in 
both noiseless and noisy conditions under the most general attacks allowed by quantum mechanics. 
Roughly speaking, in the absence of noise, a cheater can only bias significantly a vanishing fraction 
of the bits, whereas in the presence of noise, a cheater can bias a constant fraction, with this 
fraction depending quantitatively on the level of noise. We also discuss classical protocols for the 
same task, deriving upper bounds on how well a classical protocol can perform. This enables 
the determination of how much noise the quantum protocol can tolerate while still outperforming 
classical protocols. We raise several conjectures concerning both quantum and classical possibilities 
for large n cryptography. An experiment corresponding to the scheme analysed in this paper has 
been performed and is reported elsewhere. 

PACS numbers: 03.67.-a 03.67.Dd 



Coin tossing is a cryptographic primitive introduced by Blum [1], in which two parties who do not trust one another 
want to agree on a random bit. An honest party must be sure that the other party cannot have biased the bit if 
they cheated. Such protocols can be divided into two classes, according to whether the parties know or do not know 
beforehand which value of the coin the other party desires. These are known respectively as weak and strong coin 
tossing. Classically, these tasks can be achieved if assumptions are made that limit the computational power of a 
dishonest party [ref], or if relativistic signalling constraints are used [ref]. They can also be implemented using a trusted 
source of noise or a trusted third party. Without such assumptions, however, one of the parties can always fix the 
value of the coin with certainty if he or she cheats. 

If the parties can use quantum communication, then non-trivial protocols exist with security guaranteed by the 
laws of quantum mechanics. In the case of strong coin tossing, this was first shown by Aharonov et al. [ref]. The best 
strong coin tossing protocol to date is due to Ambainis [ref], and independently to Spekkens and Rudolph [ref]; the bias 
achieved is 1/4. Weak coin tossing was first considered by Goldenberg et al. in the context of quantum gambling [ref], 
and was subsequently generalised by Spekkens and Rudolph [7]. On the other hand, it was first shown by Lo and 
Chau that coin tossing (weak or strong) with perfect security is not possible [8]. Subsequently, a lower bound on the 
achievable bias for strong coin tossing was proven by Kitaev [9]. No further bounds on weak coin tossing are known, 
although it is known that the smaller the bias the more rounds of communication are required [ref]. 

Coin tossing is often introduced via an example of two parties who have divorced and want to decide who gets the 
car. Its real importance, however, lies in the fact that it is a useful primitive for the construction of more general 
cryptographic protocols. Blum, in his original work, notes that in the classical context, coin tossing can be used to 
implement mental poker and certified mail. More recently, Kent has suggested that by building on secure coin tosses, 
it may be possible to construct quantum "classically certified bit commitment" (hence oblivious transfer and general 
secure multi-party computation), with security based on the hardness of an NP-complete problem [10]. A scheme 
with this type of security, it is widely conjectured, would be secure against any polynomial-time quantum attack. 

When many coins are being tossed, rather than a single one, we call this "bit-string generation". Most applications 
will clearly involve bit-string generation, rather than a single coin toss. It may seem as if the question of whether 
bit-string generation can be made secure should reduce trivially to the question of whether single-shot coin tossing 
can be secure. In general, however, the security of large n cryptography does not reduce simply to the security of 
the single-shot case. For example, it may be possible to attain a certain level of security for the entire string, even 
though individual bits of the string are not secure. This was pointed out by Kent, in the context of quantum bit-string 
commitment [11]. Kent has also discussed bit-string generation [12]. He introduces a quantum protocol for bit-string 
generation and argues that his protocol gives good security in the case of no noise and large n, although he does not 
provide a detailed analysis. 

A different protocol for bit-string generation was introduced in Ref. [13], which has the advantage of being feasible 
with present day technology. A security analysis was given that applies in the realistic case that the quantum channel 
separating the two parties is noisy. The analysis, however, had two drawbacks: first, the security condition adopted, 
the so-called average bias condition, is not very restrictive, and second, only a limited class of attacks (individual 
attacks) were considered. In this work, we build on the results of Ref. [13]. We introduce a new, stronger security 
condition based on the Shannon entropy of the string. Using both the average bias condition and the Shannon entropy 
condition, we consider the security of the protocol in the absence and in the presence of noise, under the most general 
attacks allowed by quantum mechanics. We give rigorous proofs that in the absence of noise, the protocol has good 
security, where roughly speaking this means that a cheater can only fix the values of a vanishing fraction of the coins. 
In the presence of noise, the protocol is partially secure, with the level of security depending quantitatively on the 
level of noise. 

Noise can of course be counteracted using quantum error correction codes or entanglement distillation, and in 
principle be reduced to an arbitrarily low level. Nonetheless there are at least two good reasons for including noise in 
the analysis. One is that cheating strategies are in general indistinguishable from noise in the communication channel 
(as far as the honest party is concerned), and it is therefore very natural to carry out the theoretical analysis in 
this case, rather than in the noiseless case. Another reason is that we wish our results to apply to the present day 
experimental situation, which does not allow for the reliable implementation of quantum error correction codes or 
entanglement distillation. 

The ultimate measure of success for a quantum cryptographic protocol must be whether the protocol gives security 
that is adequate for use in a real practical situation. The level of security required will determine the degree of noise 
that can be tolerated, and will obviously depend on the circumstances. It is possible that technological improvements 
will be required before this level can be reached. In the meantime, a useful figure of merit is whether the quantum 
protocol is achieving a level of security that cannot be obtained classically. Thus it is important to contrast classical 
protocols for the same task. With this motivation, we shall also discuss purely classical protocols for bit-string 
generation, under various security conditions. We derive some bounds on how well classical protocols can perform. 
We also give an interesting example of how the problem of the best classical protocol is not always trivial. 

Using these classical bounds, it is possible to show that our quantum protocol, if implemented with present day 
technology, can achieve a level of security that is impossible classically. We report elsewhere [14] an experimental 
realisation of quantum bit-string generation, based on the protocol and security analysis presented here. We note that 
another experiment realising quantum coin tossing has recently been reported [15]. This experiment is an impressive 
achievement from the point of view of physics (for example, it is one of the first to realise individual control over 
quantum qutrits). In contrast with the experiment of Ref. [14], however, the security analysis is incomplete; in fact, 
it is not clear that anything classically impossible has been achieved. 

We shall begin in Sec. II by defining the task of bit-string generation, along with some precise security conditions. 
In Sec. III we investigate classical protocols for bit-string generation, proving some bounds on the level of security 
that can be achieved. In Sec. IV we introduce our quantum protocol and discuss briefly the most general attacks 
available to a dishonest party, before presenting our main results in Sec. V. The proofs of these results are given in 
Sec. VI. Finally, Sec. VII contains some further discussion. 

II. SECURITY CONDITIONS 

In this work, we do not assume any restrictions on the computational power of an adversary. Neither are there any 
trusted sources of noise or third parties. We assume a non-relativistic scenario (this means that there is no way of 
ensuring a simultaneous exchange of messages, thus a protocol can only involve a sequential exchange). Two parties, 
Alice and Bob, are assumed to occupy separated laboratories. A dishonest party is assumed to have control over 
everything outside the honest party's laboratory. In the quantum case, we are interested in unconditional security, 
meaning that a dishonest party is limited only by the laws of quantum mechanics. In the classical case, we are 
interested in information theoretic security. 

A coin tossing or bit-string generation protocol consists of a sequence of rounds of communication between Alice 
and Bob. In the quantum case, the communication may of course be quantum, and local operations such as adding 
ancillas or performing measurements may be carried out at any stage. For precise security conditions for single-shot 
coin tossing, we refer the reader to Ref. [ref]. Here we consider only bit-string generation. Thus consider a protocol 
in which two mistrustful parties, Alice and Bob, want to toss n coins. When the protocol terminates, Alice either 
outputs an n-bit string x, or she is deemed to have aborted the protocol, in which case we write $x = \perp$. Similarly, 
Bob either outputs an n-bit string y, or aborts, in which case $y = \perp$. Roughly speaking, a good protocol should 
ensure that a cheating Alice cannot bias Bob's output too much and vice versa. We emphasise that throughout this 
work, we are interested in two-party protocols, meaning that Alice and Bob are mistrustful and it is they who may 
be dishonest. We are not concerned with the possibility of dishonest third parties or eavesdropping, and there is no 
requirement of secrecy. 

In the ideal case, we should demand that when both parties are honest, the protocol never aborts, x = y, and the 
coins are all fair. We express this as 

$$\forall c \in \{0,1\}^n \qquad P^{H_A H_B}(x = y = c) = 2^{-n}, \qquad (1)$$

where $H_A$, $H_B$ denote the honest strategies of Alice and Bob. In any real implementation there will be some finite 
noise level, and so this condition will not hold exactly since, due to the noise, there will be a small chance of aborting 
even when both parties are honest. We replace this condition, therefore, with a slightly weaker one. We say that a 
protocol is correct if 

$$\forall c \in \{0,1\}^n \qquad \frac{1 - \delta_n}{2^n} \le P^{H_A H_B}(x = y = c) \le \frac{1 + \delta_n}{2^n}, \qquad (2)$$

where we demand that $\delta_n$ tends to zero as n (or indeed some other parameter of the protocol) increases. 

It is possible to think of many different measures of the security of a bit-string generation protocol. Here, we focus 
on three main types of security. 

Average Bias. We denote by $S_A$ and $S_B$ arbitrary strategies of Alice and Bob. Then we define the average bias 
for each by 

$$\frac{1}{2} + \epsilon_A = \max_{S_A,\, c \in \{0,1\}^n} \frac{1}{n} \sum_{i=1}^{n} P^{S_A H_B}(y_i = c_i), \qquad (3)$$

$$\frac{1}{2} + \epsilon_B = \max_{S_B,\, c \in \{0,1\}^n} \frac{1}{n} \sum_{i=1}^{n} P^{H_A S_B}(x_i = c_i), \qquad (4)$$

where $x_i$ is the ith bit of x and $y_i$ the ith bit of y. 

Shannon Entropy. The average bias is a simple measure of security but it is not very satisfactory. Consider, for 
example, the case in which Alice can cheat so that Bob's output is either the string composed of all zeros or the string 
composed of all ones, with equal probabilities: $P(y = 0^n) = P(y = 1^n) = 1/2$. The average bias $\epsilon_A$ is zero, although 
the security is clearly very bad. 

For this reason we introduce another security condition based on the Shannon entropy of the string. For the 
purposes of this condition it is convenient to assume that an honest party never aborts. If, for example, Bob gains 
evidence that Alice is cheating, and the protocol stipulates that he should abort, we assume instead that he chooses 
an n-bit string randomly and independently from the rest of the protocol, and outputs that. Similarly Alice. The 
protocol should ensure that a cheating party cannot reduce the entropy of the other party's output too much [22]. 

We define 

$$H_A = \min_{S_A} H\big(P^{S_A H_B}(y)\big), \qquad (5)$$

$$H_B = \min_{S_B} H\big(P^{H_A S_B}(x)\big), \qquad (6)$$

where H is the usual Shannon entropy of a probability distribution, i.e., 

$$H(P(x)) = -\sum_{x} P(x) \log P(x). \qquad (7)$$

(Here and throughout this work, log denotes a logarithm of base 2.) 

Now we say that a bit-string generation protocol is arbitrarily secure if $n - H_A \to 0$ and $n - H_B \to 0$ as $n \to \infty$. 
Similarly, it is relatively secure if $(n - H_A)/n \to 0$ and $(n - H_B)/n \to 0$ as $n \to \infty$. Roughly speaking, this means 
that a cheater may be able to fix the values of some of the coins, but that the fraction of coins thus affected must 
become small as n increases. It is partially secure if $H_A, H_B > 0$. Our main results will be that our quantum protocol 
is relatively secure in the absence of noise and partially secure in the presence of noise, with security depending 
quantitatively on the amount of noise. 

Min-entropy. Finally, we introduce a security condition based on the maximal probability of occurrence of a 
string (referred to as the min-entropy condition): 

$$H_A^{\infty} = -\log_2 \max_{S_A,\, c \in \{0,1\}^n} P^{S_A H_B}(y = c),$$

$$H_B^{\infty} = -\log_2 \max_{S_B,\, c \in \{0,1\}^n} P^{H_A S_B}(x = c).$$

For the purposes of this condition, we again allow honest parties to abort. 

We will not discuss the min-entropy condition in much detail in this work, because the quantum protocol we study 
does not give good security with respect to this condition. In principle, one could define arbitrary, relative, and 
partial security in terms of the min-entropy condition, in a manner precisely analogous to their definition in terms 
of the Shannon entropy. It turns out, however, that even in the absence of noise the protocol is not then relatively 
secure. This should be contrasted with the other security conditions we defined above for which we show that good 
security can be achieved in the absence of noise. We note that the bit-string generation protocol due to Kent [12] 
does not achieve relative security with respect to the min-entropy condition either, and conjecture that no quantum 
protocol can do so. We have introduced the min-entropy here because we are able to prove a bound on the achievable 
min-entropy by any classical protocol. 

From the above security conditions, we can see that the relationship between coin tossing and bit-string generation 
is not trivial. A good protocol for coin tossing, for example, does not necessarily imply a good protocol for bit-string 
generation. A perfectly secure coin tossing protocol that is simply repeated many times will result in a bit-string 
generation protocol that satisfies our average bias condition above, with $\epsilon_A = \epsilon_B = 0$. But it will not necessarily be 
arbitrarily or relatively secure unless the coin tossing protocol is composable. If it is a quantum protocol, one would 
have to consider the possibility that it is not composable because a cheater can entangle separate runs. A bit-string 
generation protocol that is arbitrarily secure does imply a coin tossing protocol - simply take the first bit of the string. 
However, a bit-string generation protocol that is relatively secure need not. From this, and Kitaev's lower bound for 
quantum coin tossing, we can conclude that quantum bit-string generation with arbitrary security is not possible. In 
this work, we therefore consider mainly relative security (for the noiseless case) and partial security (for the noisy 
case). 

III. CLASSICAL BIT-STRING GENERATION 

As stated above, classical coin tossing (both weak and strong) is impossible with information theoretic security. It 
turns out that at least one party can fix the outcome with certainty (for a proof, see, e.g., Theorem 2 of Ref. [ref]). 
There is, however, a trivial protocol for bit-string generation that achieves partial security: assuming even n, Alice 
tosses half of the coins herself, and sends the results to Bob, who then tosses the other half and sends the results to 
Alice. In this section we show that this trivial protocol is optimal among classical protocols, both with respect to 
average bias and with respect to min-entropy. Then we discuss classical protocols and the Shannon entropy condition. 

Theorem 1 For any conceivable classical protocol, 

$$\epsilon_A + \epsilon_B \ge 1/2.$$

The trivial protocol saturates this bound. 

Proof The theorem follows directly from the impossibility of classical single-shot coin tossing, since for each i, at 
least one of $P^{S_A H_B}(y_i = c_i)$ and $P^{H_A S_B}(x_i = c_i)$ can be made equal to 1 or 0 by a cheater. □ 
We can also prove a bound on the classically achievable min-entropy: 

Theorem 2 For any conceivable classical protocol, 

$$\min[H_A^{\infty}, H_B^{\infty}] \le n/2.$$

It is clear that the trivial protocol saturates this bound. 

Proof In this case, a proof follows from what is essentially Theorem 1 of Ref. [ref], but generalised to the case of 
bit-string generation. For completeness, we include the generalised version of the proof here. The presentation is very 
similar to that of Ref. [ref]. 
Assume that a classical protocol involves k rounds of communication [ref]. Let U denote the state of the protocol at 
any given moment. Thus U contains a specification of all communications sent by Alice and Bob up to that particular 
point. We define w(U) to be the probability of state U occurring during an honest execution of the protocol. We 
define two other functions of U. Let 

$$Z_c^{B}(U) = \max_{S_B} P(x = c \mid \text{state is } U),$$

where the maximum is over all strategies that Bob can employ from the point U onwards. Similarly, 

$$Z_c^{A}(U) = \max_{S_A} P(y = c \mid \text{state is } U).$$

Finally, let 

$$F_j = \sum_{U \in \mathcal{U}_j} w(U)\, Z_c^{A}(U)\, Z_c^{B}(U),$$

where $\mathcal{U}_j$ is the set of those U that specify a state of the protocol after j rounds of communication. It is not too 
difficult to show that $F_j \ge F_{j+1}$. This allows us to conclude that 

$$\max_{S_A}\big[P^{S_A H_B}(y = c)\big] \times \max_{S_B}\big[P^{H_A S_B}(x = c)\big] = Z_c^{A}(U_0)\, Z_c^{B}(U_0) = F_0 \ge F_k = P^{H_A H_B}(x = y = c) = 1/2^n, \qquad (8)$$

where $U_0$ is the state of the protocol before the first communication. This gives us Theorem 2. □ 

These two results show that there are rather strong limitations on what classical protocols can achieve. Theorem 1 
is particularly useful as it enables us to determine precisely for what levels of noise our quantum protocol beats this 
bound, and thus for what levels of noise something classically impossible is being achieved. 

Finally, it may appear from the above that there are no interesting classical possibilities beyond the trivial protocol. 
We conclude this section with a diverting counterexample: if we adopt our security criterion based on Shannon entropy, 
then there are classical protocols that outperform the trivial protocol, at least for finite n. It is clear that the trivial 
protocol gives $H_A, H_B = n/2$. Now consider the following. Alice sends a communication to Bob that specifies a 
particular n-bit string. This string will not be the outcome of the protocol. Bob then sends a communication to 
Alice that rules out another bit-string. This continues until all bit-strings have been ruled out except one, which is 
the outcome of the protocol. It can be shown that in the case of four bits (sixteen strings), we have $H_A \approx 2.39 > 2$ 
and $H_B \approx 2.78 > 2$. Thus we have improved on the trivial protocol both from the point of view of cheating Alice 
and cheating Bob. The bounds above, however, must apply, so this protocol does not improve on the trivial protocol 
with respect to average bias or min-entropy. Interestingly, numerical investigations indicate that for this protocol, 
$(n - H_A)/n$ and $(n - H_B)/n \to 1/2$ as $n \to \infty$. If correct, this means that the advantage disappears in the large n 
limit. 
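The quantities w(U), $Z_c^A(U)$, $Z_c^B(U)$ and $F_j$ from the proof of Theorem 2 can be evaluated exactly on small protocols. The script below is an added illustration, not the paper's code: it models a classical protocol as a message tree with an honest message distribution at every transcript, evaluates these quantities with exact rational arithmetic for the trivial protocol and for the rule-out protocol of the previous paragraph with n = 2, and checks $F_j \ge F_{j+1}$, $F_k = 2^{-n}$ and the bound of Theorem 2. The protocol model and the names (Protocol, z, f_sequence, make_trivial, make_ruleout) are the example's own; it does not attempt the Shannon-entropy values quoted above, since minimising H over adaptive strategies is not a simple recursion.

```python
"""Exact evaluation of w(U), Z^A_c(U), Z^B_c(U) and F_j for small classical
bit-string generation protocols (added illustration, not the paper's code).

A protocol is a message tree: Alice moves on even rounds, Bob on odd rounds,
honest(U) gives the honest party's message distribution at transcript U, and
output(U) is the common output of a complete transcript. Probabilities are
Fractions, so every check below is exact.
"""
from fractions import Fraction
from itertools import product
import math

ALICE, BOB = "A", "B"


class Protocol:
    def __init__(self, n, rounds, honest, output):
        self.n, self.rounds, self.honest, self.output = n, rounds, honest, output

    def mover(self, U):
        return ALICE if len(U) % 2 == 0 else BOB

    def terminal(self, U):
        return len(U) == self.rounds


def z(proto, U, c, cheater):
    """Z_c^{cheater}(U): maximal probability, over the cheater's strategies
    from U onwards, that the honest party outputs c. At the cheater's rounds
    the best message is chosen; at honest rounds we average over honest play."""
    if proto.terminal(U):
        return Fraction(int(proto.output(U) == c))
    moves = proto.honest(U)
    if proto.mover(U) == cheater:
        return max(z(proto, U + (m,), c, cheater) for m in moves)
    return sum(p * z(proto, U + (m,), c, cheater) for m, p in moves.items())


def states_after(proto, j):
    """All transcripts U after j rounds, each with its honest weight w(U)."""
    frontier = [((), Fraction(1))]
    for _ in range(j):
        frontier = [(U + (m,), w * p)
                    for U, w in frontier for m, p in proto.honest(U).items()]
    return frontier


def f_sequence(proto, c):
    """[F_0, ..., F_k] with F_j = sum over U in U_j of w(U) Z_c^A(U) Z_c^B(U)."""
    return [sum(w * z(proto, U, c, ALICE) * z(proto, U, c, BOB)
                for U, w in states_after(proto, j))
            for j in range(proto.rounds + 1)]


def nonincreasing(seq):
    return all(a >= b for a, b in zip(seq, seq[1:]))


def all_strings(n):
    return ["".join(bits) for bits in product("01", repeat=n)]


def min_entropies(proto):
    """(H_A^inf, H_B^inf): minus log2 of the best forcing probability over all c."""
    zA = max(z(proto, (), c, ALICE) for c in all_strings(proto.n))
    zB = max(z(proto, (), c, BOB) for c in all_strings(proto.n))
    return -math.log2(float(zA)), -math.log2(float(zB))


def theorem2_holds(proto):
    hA, hB = min_entropies(proto)
    return min(hA, hB) <= proto.n / 2 + 1e-12


def make_trivial(n):
    """Alice sends n/2 uniformly random bits, then Bob sends the other n/2."""
    half = all_strings(n // 2)
    honest = lambda U: {s: Fraction(1, len(half)) for s in half}
    return Protocol(n, 2, honest, lambda U: U[0] + U[1])


def make_ruleout(n):
    """Parties alternately rule out one of the remaining n-bit strings,
    uniformly at random when honest; the last survivor is the outcome."""
    strings = all_strings(n)

    def honest(U):
        left = [s for s in strings if s not in U]
        return {s: Fraction(1, len(left)) for s in left}

    def output(U):
        return next(s for s in strings if s not in U)

    return Protocol(n, len(strings) - 1, honest, output)


if __name__ == "__main__":
    for name, proto in (("trivial", make_trivial(2)), ("rule-out", make_ruleout(2))):
        seq = f_sequence(proto, "00")
        print(name, [str(f) for f in seq],
              "F_k = 2^-n:", seq[-1] == Fraction(1, 2 ** proto.n))
        print("  min-entropies (A, B):", min_entropies(proto),
              "Theorem 2 holds:", theorem2_holds(proto))
```

For the n = 2 rule-out protocol a cheating Alice forces her string with probability 2/3 and a cheating Bob with probability 3/8; their product is exactly $2^{-n}$, matching Eq. (8) with equality.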

A bound on the achievable $H_A$ and $H_B$ by any classical protocol would be useful. Combined with our results on 
Shannon entropy for our quantum protocol below, it would enable us to determine for what noise levels the quantum 
protocol is outperforming all classical protocols with respect to this condition. Our results for the protocol described in 
the last paragraph lead us to conjecture that, with respect to Shannon entropy, no classical protocol outperforms the 
trivial protocol in the large n limit (more precisely, we conjecture that for any classical protocol, $H_A + H_B \le n + o(n)$, 
where o(n) denotes a term such that $o(n)/n \to 0$ as $n \to \infty$). As things stand, however, one can at least use our 
results for the average bias condition to determine a rigorous quantum-classical separation. This was our main reason 
for including these results. 

IV. A QUANTUM BIT-STRING GENERATION PROTOCOL 

A. The protocol 

We now describe the quantum protocol for which we will prove security bounds. 

Protocol 1: Denote by n the length of the bit-string to be generated. Let $|\psi_0\rangle$ and $|\psi_1\rangle$ be two non-orthogonal 
quantum states with $|\langle\psi_0|\psi_1\rangle|^2 = \cos^2\theta$. In general, $\theta$ may be fixed or may be a function of n. However, both n and 
$\theta$ are fixed before the commencement of the protocol. Fix also $0 < f^* \le 1$. 

1. For i = 1 to n 

(a) Alice chooses a random bit $a_i \in \{0, 1\}$. She prepares the quantum state $|\psi_{a_i}\rangle$. She sends $|\psi_{a_i}\rangle$ to Bob. 

(b) Bob chooses a random bit $b_i \in \{0, 1\}$. Bob reveals $b_i$ to Alice. 

(c) Alice reveals $a_i$ to Bob. 

(d) Bob measures the state sent to him by Alice using a two-outcome von Neumann measurement which either 
projects onto $|\psi_{a_i}\rangle\langle\psi_{a_i}|$ or onto the orthogonal subspace $I - |\psi_{a_i}\rangle\langle\psi_{a_i}|$. If the outcome of the measurement 
corresponds to $|\psi_{a_i}\rangle\langle\psi_{a_i}|$ then $f_i = 1$; if the outcome of the measurement corresponds to the orthogonal 
subspace then $f_i = 0$. 

2. Next i 

3. Alice outputs x, where $x_i = a_i \oplus b_i$. 

4. If $\sum_{i=1}^{n} f_i \ge n f^*$, then Bob outputs y, where $y_i = a_i \oplus b_i$. 

5. If $\sum_{i=1}^{n} f_i < n f^*$, then Bob aborts and $y = \perp$. 

We specify in addition that an honest party should always abort if it is clear that the other party has failed to 
follow their part of the protocol, e.g., if an expected classical bit never arrives. 

In the absence of noise, the constant $f^*$ in Protocol 1 can be taken to be equal to 1. In the presence of noise, however, 
even if Alice and Bob are both honest, there is a finite probability that Bob's measurement will fail (and therefore 
that $f_i = 0$). This means that if $f^* = 1$, then the probability that the protocol does not abort is exponentially small, 
and the protocol is not correct. As we argue below, however, by choosing $f^*$ sufficiently small, we have that $\delta_n$ in 
Eq. (2) tends to zero exponentially fast as n tends to infinity. Thus correctness is satisfied. 

B. Cheating and noise 

One of the aims of this work is to consider how to carry out quantum bit-string generation in the presence of noise. 
Thus we shall consider the security of the above protocol, both in the absence and the presence of noise, under the most 
general attacks allowed by quantum mechanics. We suppose that the noise manifests itself as an imperfect quantum 
communication channel between Alice and Bob. Such a channel can always be modelled as $|\phi\rangle\langle\phi| \to \mathcal{E}(|\phi\rangle\langle\phi|)$, where 
$|\phi\rangle\langle\phi|$ is an input to the channel and $\mathcal{E}$ is a completely positive trace-preserving map. One could also consider the effect 
of imperfections in Alice's and Bob's laboratories, such as finite detection efficiencies or imperfect state preparation 
procedures. We will not take these into account here, and refer to Ref. [14] for this more general case. We shall always 
assume that classical channels are noiseless. 

In the presence of noise, we adopt the most pessimistic assumption, which is that a dishonest party can in principle 
replace the noisy communication channel by a perfect channel. Then, as long as the cheating is not excessive, it will 
not lead the other party to abort, since any errors induced will be indistinguishable from the expected noise. The 
situation is similar to that which arises in quantum key distribution, where the presence of noise is indistinguishable 
from the presence of an eavesdropper. 

The most general attack for a cheating Alice is to replace the noisy channel with a noiseless channel and then to 
prepare n + 1 systems in some joint, possibly entangled, state. Each round, she sends one system to Bob. After 
Bob sends $b_i$, she performs a positive operator-valued (POV) measurement on the systems left in her possession, 
which in general may depend on the value of $b_i$, and indeed on events in the previous rounds. The outcome of this 
measurement, along with previous events, will determine the value of $a_i$. At any point, she may simply decide to stop 
following the protocol, thus causing Bob to abort, although we shall see below that this latter strategy cannot help. 

The most general attack for a cheating Bob is to replace the noisy channel with a noiseless channel, as desired, and 
then to measure each quantum state sent by Alice as soon as it arrives (i.e., before sending the bit bi). The bit bi 
may then depend on the outcome of this measurement. Clearly Bob can correlate his strategy over different rounds 
if he wishes, although, as we argue below, this will not be of use. Bob can also decide to stop following the protocol, 
thus causing Alice to abort, but again, this cannot help. 

V. RESULTS 

We state our main results in the form of a set of bounds that concern the security of Protocol 1 in both noisy and 
noiseless conditions. In this section, we give the results in a simple asymptotic form. Exact results can be found in 
the proofs below. 
Theorem 3 Noiseless case. Set $f^* = 1$ and $\sin\theta = (\ln n)^{1/6}\, n^{-1/6}$. Then the protocol is correct and we have 

$$\max\{\epsilon_A, \epsilon_B\} \le O\!\left(\left(\frac{\ln n}{n}\right)^{1/12}\right). \qquad (9)$$

Alternatively, if we set $f^* = 1$ and $\sin^2\theta = (\ln n)^{1/8}\, n^{-1/8}$, we get 

$$\min\{H_A, H_B\} \ge n - O\big((\ln n)^{1/8}\, n^{7/8}\big). \qquad (10)$$

Thus the protocol is relatively secure and is better than any classical protocol. 



Taking $\sin\theta$ to be a decreasing function of n is the key to obtaining Eqs. (9) and (10). When $\sin\theta$ decreases it is 
harder and harder for Bob to cheat, since it is harder and harder for him to guess the state sent to him by Alice. 
On the other hand it is easier and easier for Alice to cheat, since the states she must send Bob are more and more similar. 
There is an optimal rate of decrease of $\sin\theta$ which balances these two effects. 

Theorem 4 Noisy case. Fix $f^*$ such that it is smaller than the fidelity of the quantum channel [ref]. Fix $\theta$ independently 
of n. Then the protocol is correct and we get bounds on $\epsilon_A$ and $\epsilon_B$, Eqs. (11) and (12), which are not legible in 
the source, together with 

$$H_A \ge n\,(\cdots) - O(\sqrt{n \ln n}), \qquad (13)$$

$$H_B \ge n\, h(\cdots), \qquad (14)$$

where in the last line, h is the binary entropy function, $h(p) = -p\log p - (1 - p)\log(1 - p)$. The protocol is partially 
secure. For sufficiently low noise, we can set $f^*$ such that it is better than any classical protocol. 



VI. PROOFS 



A. Correctness Condition 



One easily checks that if both parties are honest, and if the protocol does not abort, then the coins are fair. If both 
parties are honest, and if the fidelity of the communication channel is $f^{\circ} > f^*$, then a standard result in probability 
theory implies that the probability that the protocol aborts decreases exponentially with n: 

$$\delta_n \le \exp\!\left[-n\,\frac{(f^{\circ} - f^*)^2}{2}\right]. \qquad (15)$$

Hence the protocol is correct. 



B. Dishonest Bob 



In order to cheat, Bob measures on each round the state sent by Alice. He does this before announcing $b_i$. His aim 
is to guess correctly the value of $a_i$, and then choose the value of $b_i$ so as to obtain the outcome for that particular 
coin that he wants. Recalling that a cheating Bob can replace the noisy channel with a perfect channel, his task is 
therefore to perform a measurement that distinguishes as well as possible the two non-orthogonal states $|\psi_0\rangle$ and $|\psi_1\rangle$. 
A standard result in state estimation [ref] states that the probability that Bob guesses correctly is bounded by 

$$P(\text{correct guess}) \le \frac{1}{2} + \frac{\sin\theta}{2}. \qquad (16)$$



When analysing the security with respect to a dishonest Alice, a big complication is that in principle, Alice can 
make her strategy at round i depend on what happened during the previous rounds. On the other hand, in the case of 
Bob, correlating his strategy at one round with the strategy at previous rounds cannot help. This is because at each 
round the state sent by Alice is chosen at random, independently from the rest of the protocol. At each round, if Bob 
performs any measurement other than the optimal distinguishing measurement of Eq. (16) then he is less likely to 
guess $a_i$ correctly, and he will be less successful in biasing the string. This applies for each of the security conditions 
we defined. 

As we stated above, a further available strategy for a dishonest Bob is simply to play the protocol improperly, 
causing Alice to abort. He may do this at any time - for example he may do it near the end of the protocol if it seems 
that Alice's output string is not going to be to his liking. It is clear, however, that such a strategy cannot increase the 
average bias. If we recall that when using the Shannon entropy condition, we assume that Alice does not abort but 
instead outputs a random string, then it is also clear that this strategy cannot help Bob decrease the Shannon entropy 
of Alice's output. Thus we do not need to consider it in this case either (it was largely to avoid these complications 
that we adopted this convention). 

Eq. (16), therefore, implies Eqs. (12) and (14). With appropriate settings for $\theta$, Eq. (16), along with our results for 
Alice below, implies Eqs. (9) and (10). 
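To make Protocol 1 and the two bounds just used, Eqs. (15) and (16), concrete, here is an added Python simulation that is not the paper's code. It represents $|\psi_0\rangle$, $|\psi_1\rangle$ as real qubit vectors at angle $\theta$ (so $|\langle\psi_0|\psi_1\rangle|^2 = \cos^2\theta$), implements the optimal two-state guessing measurement for a Bob who measures before announcing $b_i$, and runs the honest protocol over a noisy channel; the depolarising noise model with honest pass probability $f^{\circ} = 1 - p/2$ and the threshold values are the example's own assumptions.

```python
"""Toy simulation of Protocol 1 with real qubit states (added illustration,
not the paper's code).

|psi0>, |psi1> are real unit vectors at angle theta, so |<psi0|psi1>|^2 =
cos^2(theta) as the protocol requires. Assumption not taken from the paper:
channel noise is qubit depolarising with probability depol_p, so an honest
round passes Bob's test in step 1(d) with probability f0 = 1 - depol_p/2.
"""
import math
import random

SQ = 1 / math.sqrt(2)
PLUS, MINUS = (SQ, SQ), (SQ, -SQ)   # basis of Bob's optimal guessing measurement


def states(theta):
    """(|psi0>, |psi1>) with <psi0|psi1> = cos(theta)."""
    c, s = math.cos(theta / 2), math.sin(theta / 2)
    return (c, s), (c, -s)


def inner(u, v):
    return u[0] * v[0] + u[1] * v[1]


def helstrom_guess_probability(theta):
    """Exact success probability of guessing a from |psi_a> (a uniform) by
    measuring in {|+>, |->} and assigning each outcome to the state it
    overlaps most; this equals the right-hand side of Eq. (16)."""
    psi = states(theta)
    return sum(0.5 * max(inner(m, psi[0]) ** 2, inner(m, psi[1]) ** 2)
               for m in (PLUS, MINUS))


def eq16_bound(theta):
    return 0.5 + math.sin(theta) / 2


def cheating_bob_round(theta, target, rng):
    """One round: honest Alice, Bob measures before announcing b_i and chooses
    b_i so that Alice's bit x_i = a_i XOR b_i equals his target. Returns x_i."""
    psi = states(theta)
    a = rng.randrange(2)
    p_plus = inner(PLUS, psi[a]) ** 2          # Born rule for outcome |+>
    guess = 0 if rng.random() < p_plus else 1  # |+> lies closer to |psi0>
    return a ^ (guess ^ target)


def empirical_bob_bias(theta, rounds, seed=0):
    """Fraction of rounds in which cheating Bob obtains x_i = 1 (his target);
    it converges to 1/2 + epsilon_B with epsilon_B = sin(theta)/2."""
    rng = random.Random(seed)
    return sum(cheating_bob_round(theta, 1, rng) for _ in range(rounds)) / rounds


def honest_fidelity(depol_p):
    """Pass probability f0 of Bob's test per honest round under the
    depolarising assumption: a maximally mixed qubit passes with prob 1/2."""
    return 1 - depol_p / 2


def run_honest_protocol(n, f_star, depol_p, seed=0):
    """Honest Alice and Bob over the noisy channel. Returns (x, y), with
    y = None when Bob aborts because sum(f_i) < n f* (step 5 of Protocol 1)."""
    rng = random.Random(seed)
    x, f_total = [], 0
    for _ in range(n):
        a, b = rng.randrange(2), rng.randrange(2)
        depolarised = rng.random() < depol_p
        f = (rng.random() < 0.5) if depolarised else True
        f_total += int(f)
        x.append(a ^ b)          # step 3: x_i = a_i XOR b_i
    y = list(x) if f_total >= n * f_star else None
    return x, y


def abort_bound_eq15(n, f0, f_star):
    """Eq. (15): delta_n <= exp[-n (f0 - f*)^2 / 2] when f0 > f*."""
    return math.exp(-n * (f0 - f_star) ** 2 / 2)


if __name__ == "__main__":
    theta = 0.6
    print("Helstrom:", helstrom_guess_probability(theta), "Eq.(16):", eq16_bound(theta))
    print("cheating Bob, 20000 rounds:", empirical_bob_bias(theta, 20000, seed=1))
    x, y = run_honest_protocol(1000, 0.85, 0.1, seed=7)
    print("honest run aborted:", y is None,
          "Eq.(15) bound:", abort_bound_eq15(1000, honest_fidelity(0.1), 0.85))
```

Lowering theta, as Theorem 3 prescribes for the noiseless case, visibly pulls Bob's empirical bias back towards 1/2, while a larger gap between f0 and f* makes the honest abort probability of Eq. (15) negligible.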



C. Dishonest Alice: uncorrelated cheating 



In this section, we consider a single round of Protocol 1, and for simplicity of notation we drop the subscript i. 
Thus we denote by a the bit sent by Alice at step 4 of the protocol, by b the bit sent by Bob at step 3, by x and y 
Alice's and Bob's outputs, and by f the result of Bob's measurement. We denote by E(f) the expectation value of 
f, i.e., the probability that f = 1. We prove the following lemma. 

Lemma 1 For a single round of Protocol 1, if Bob is honest then for any strategy of Alice we have the constraint 

$$\forall c \in \{0, 1\} \qquad P^{S_A H_B}(y = c) \le \min\left\{\frac{1}{2} + \frac{\sqrt{\cdots}}{\sin\theta},\ 1\right\} = F(E(f)), \qquad (17)$$

where we define for future use $F(x) = \min\{\tfrac{1}{2} + \sqrt{\cdots}/\sin\theta,\ 1\}$, which is a concave monotonically decreasing 
function for $x \in [0, 1]$. 

Clearly this lemma tells us that the more Alice cheats on a particular round, the more likely Bob's test on that 
particular round is to be failed. 

Proof. Let us consider Alice's most general strategy for a single round. This consists in Alice preparing a (possibly mixed) state $\rho_{AB}$ and sending the $B$ subsystem to Bob via a noiseless channel. Denote Bob's reduced density matrix by $\rho_B$. Alice waits until she receives Bob's bit $b$. If $b = 0$, she then performs a two-outcome POV measurement $M_0$ on subsystem $A$. Denote the two outcomes $M_{00}$ and $M_{01}$. Alice declares $a = 0$ if she obtains outcome $M_{00}$ and declares $a = 1$ if she obtains outcome $M_{01}$. If $b = 1$, she performs a POV measurement $M_1$ with two outcomes $M_{10}$ and $M_{11}$. Alice declares $a = 1$ if she obtains outcome $M_{11}$ and declares $a = 0$ if she obtains outcome $M_{10}$. Suppose that Bob's reduced density matrices, conditioned on Alice getting outcomes $M_{00}, M_{01}, M_{11}, M_{10}$, are $\sigma, \bar\sigma, \tau, \bar\tau$ respectively, and denote by $q$ ($q'$) the probability of obtaining outcome $M_{00}$ ($M_{11}$) if Alice performs measurement $M_0$ ($M_1$). Then we can write

$$\rho_B = q\sigma + (1-q)\bar\sigma = q'\tau + (1-q')\bar\tau . \qquad (18)$$

The expected (unnormalised) density matrix if Alice declares $a = 0$ is

$$\rho_0 = q\sigma + (1-q')\bar\tau \qquad (19)$$

and the expected (unnormalised) density matrix if Alice declares $a = 1$ is

$$\rho_1 = q'\tau + (1-q)\bar\sigma . \qquad (20)$$

The expected fidelity $E(f)$ for this coin toss is

$$E(f) = \tfrac{1}{2}\left(\langle\psi_0|\rho_0|\psi_0\rangle + \langle\psi_1|\rho_1|\psi_1\rangle\right). \qquad (21)$$

Let us now use the fact that there is an inherent symmetry in Protocol 1. Denote by $U_B$ the unitary transformation such that $U_B|\psi_0\rangle = |\psi_1\rangle$ and $U_B|\psi_1\rangle = |\psi_0\rangle$. Suppose that Alice prepares the state $(\mathbb{1}_A \otimes U_B)\,\rho_{AB}\,(\mathbb{1}_A \otimes U_B^\dagger)$, sends Bob his part of this state, and carries out measurement $M_1$ if $b = 0$ (and Alice declares outcome $a = 0$ if she gets outcome $M_{11}$ and declares $a = 1$ if she gets outcome $M_{10}$), and measurement $M_0$ if $b = 1$ (with the role of the outcomes similarly permuted). In this strategy $q$ is replaced by $q'$, $\sigma$ by $U_B \tau U_B^\dagger$, etc. This strategy obviously gives Alice the same expected bias since Bob's bit $b$ is random and initially unknown to Alice.

Alice could also randomly choose between these two strategies. This will yield a symmetric strategy which will have the same expected bias as the original strategy. We can describe this symmetric strategy by the initial state

$$\tfrac{1}{2}\Big(|0\rangle\langle 0| \otimes \rho_{AB} + |1\rangle\langle 1| \otimes (\mathbb{1}_A \otimes U_B)\,\rho_{AB}\,(\mathbb{1}_A \otimes U_B^\dagger)\Big)$$

where the additional qubit is the coin Alice tosses to decide which strategy to use. Alice's measurement $M_0$ now consists of the two elements $|0\rangle\langle 0| \otimes M_{00} + |1\rangle\langle 1| \otimes M_{11}$ and $|0\rangle\langle 0| \otimes M_{01} + |1\rangle\langle 1| \otimes M_{10}$, and similarly for $M_1$. For this symmetric strategy we can once more write Eqs. (18), (19) and (20), but now we have the identities

$$q = q' , \qquad (22)$$

$$\tau = U_B \sigma U_B^\dagger , \qquad \bar\tau = U_B \bar\sigma U_B^\dagger , \qquad (23)$$

which imply that

$$\langle\psi_0|\sigma|\psi_0\rangle = \langle\psi_1|\tau|\psi_1\rangle , \qquad \langle\psi_0|\bar\tau|\psi_0\rangle = \langle\psi_1|\bar\sigma|\psi_1\rangle . \qquad (24)$$

In summary, Alice can use a symmetric strategy which does not decrease her expected bias, but for which the relations (22) and (24) are obeyed. With this simplification we have

$$E(f) = \langle\psi_0|\rho_0|\psi_0\rangle = \langle\psi_1|\rho_1|\psi_1\rangle . \qquad (25)$$

The proof of Eq. (17) now closely follows the steps of the proof of Theorem 1 in Ref. [13]. First, from Eqs. (19), (22) and (25) we deduce that

$$q\,\langle\psi_0|\sigma|\psi_0\rangle + (1-q)\,\langle\psi_0|\bar\tau|\psi_0\rangle = E(f), \qquad (26)$$

which in turn implies that

$$\langle\psi_0|\sigma|\psi_0\rangle \ge 1 - \frac{1 - E(f)}{q} \qquad (27)$$

and that

$$\langle\psi_0|\bar\tau|\psi_0\rangle \ge 1 - \frac{1 - E(f)}{1 - q} . \qquad (28)$$



Now we introduce the quantity $D(\rho,\rho') = \tfrac{1}{2}\,\mathrm{Tr}\sqrt{(\rho - \rho')^\dagger(\rho - \rho')}$, where this is the trace distance between states $\rho$ and $\rho'$. We have that $D(\rho,\rho') \le \sqrt{1 - F(\rho,\rho')}$ for arbitrary states $\rho$ and $\rho'$ (for this relation and others used below, see, e.g., Ref. jl^, although note the slightly different definition of fidelity). This gives

$$D(\sigma, |\psi_0\rangle) \le \sqrt{\frac{1 - E(f)}{q}} , \qquad D(\bar\tau, |\psi_0\rangle) \le \sqrt{\frac{1 - E(f)}{1 - q}} . \qquad (29)$$

Using the same line of reasoning we can show that

$$D(\tau, |\psi_1\rangle) \le \sqrt{\frac{1 - E(f)}{q}} , \qquad D(\bar\sigma, |\psi_1\rangle) \le \sqrt{\frac{1 - E(f)}{1 - q}} . \qquad (30)$$

Now we project Eq. (18) onto $P = |\psi_0\rangle\langle\psi_0|$ to obtain

$$q\,\mathrm{Tr}(P\sigma) + (1-q)\,\mathrm{Tr}(P\bar\sigma) = q\,\mathrm{Tr}(P\tau) + (1-q)\,\mathrm{Tr}(P\bar\tau) . \qquad (31)$$

We bound each term in Eq. (31) as follows:

1. From Eq. (27), the first term is bounded by $\mathrm{Tr}(P\sigma) \ge 1 - (1 - E(f))/q$.

2. To bound the second term we use Eq. (30) and the fact that $D(\rho,\rho') = \max_P |\mathrm{Tr}(P\rho) - \mathrm{Tr}(P\rho')|$, where the maximum is over all projection operators $P$, in order to obtain

$$\mathrm{Tr}(P\bar\sigma) \ge \mathrm{Tr}(P|\psi_1\rangle\langle\psi_1|) - D(|\psi_1\rangle, \bar\sigma) \ge \cos^2\theta - \sqrt{\frac{1 - E(f)}{1 - q}} . \qquad (32)$$

3. Similarly we get

$$\mathrm{Tr}(P\tau) \le \mathrm{Tr}(P|\psi_1\rangle\langle\psi_1|) + D(|\psi_1\rangle, \tau) \le \cos^2\theta + \sqrt{\frac{1 - E(f)}{q}} . \qquad (33)$$

4. Finally, $\mathrm{Tr}(P\bar\tau) \le 1$.

Together these inequalities imply that

$$(2q - 1)\sin^2\theta \le \sqrt{1 - E(f)}\left(\sqrt{q} + \sqrt{1 - q}\right) + 1 - E(f), \qquad (34)$$

which, since $\sqrt{q} + \sqrt{1 - q} \le \sqrt{2}$, implies Eq. (17). □

D. Dishonest Alice: bounds on average bias 

If Alice always uses the same strategy at each round of the protocol, then Eq. (11) follows directly from Eq. (17).
However, Alice need not follow the same strategy during all coin tosses. She can modify her strategy at round 
i depending on what happened during the previous rounds. In fact her most general strategy is to use quantum 
correlations: the quantum state she uses at round i can be entangled with the states she sent Bob during the previous 
rounds. In this section we will show that such correlated strategies can only help Alice marginally, and that the 
uncorrelated cheating strategy described in the previous section is essentially optimal. 

But can an entangled cheating strategy help Alice at all? In principle, yes. Indeed Alice does not know the 
outcome of Bob's measurement. By using states that are entangled over different rounds, Alice can obtain some 
information about Bob's measurement and use this information to modify her strategy during subsequent rounds. 
Analysing the effect of such entangled strategies seems very difficult. So our approach will be to modify the protocol 
in such a way that entanglement over rounds can no longer help. Then we analyse the security of the modified protocol. 



Protocol 2: The protocol is the same as Protocol 1, except that in step 5, Bob carries out a complete measurement on the state sent by Alice, i.e., he measures an orthonormal basis that includes $|\psi_{a_i}\rangle$. He then reveals the result of the measurement to Alice.



For this protocol the amount by which Bob can cheat is unchanged. But Alice now knows everything that 
occurred at Bob's site. It is therefore easier for Alice to cheat in Protocol 2 than in Protocol 1. On the other 
hand, by carrying out a complete measurement and revealing the result of the measurement, Bob has destroyed all 
entanglement that could have existed between himself and Alice. Entanglement between rounds therefore cannot help 
Alice in this protocol. She can, however, use the information provided by Bob to correlate classically her strategy at 
round i with what happened during previous rounds. 

In what follows we analyse the security of Protocol 2 with respect to a cheating Alice. Let us recall that

$$\frac{1}{2} + \epsilon_A = \max_{S_A, c} \frac{1}{n}\sum_i P_{S_A,H_B}(y_i = c_i) = \max_{S_A, c} \frac{1}{n}\sum_i P_{S_A,H_B}\Big(a_i \oplus b_i = c_i \ \&\ \frac{1}{n}\sum_j f_j \ge f^*\Big), \qquad (35)$$

where we recall that $f_i = 1$ if Bob finds outcome $|\psi_{a_i}\rangle$ when he carries out his measurement at step 5 of the protocol, and $f_i = 0$ otherwise. In the second line we have rewritten the average bias as the probability that Alice gets the outcome she wants at each round and that Bob does not abort at the end of the protocol.

This leads us to define variables $q_i(c) \in \{0,1\}$ that are equal to 1 if $c_i = a_i \oplus b_i$ and equal to zero if $c_i \ne a_i \oplus b_i$ (independently of whether or not Bob aborts at the end of the protocol). We also define $I_{\rm pass}$ as equal to 1 if Bob's test is passed and 0 otherwise. In terms of these variables we can rewrite Eq. (35) as

$$\frac{1}{2} + \epsilon_A = \max_{S_A, c} E\left[\Big(\frac{1}{n}\sum_i q_i\Big) \times I_{\rm pass}\right] . \qquad (36)$$

In what follows we will obtain a lower bound on $\frac{1}{n}\sum_i P(a_i \oplus b_i = c_i)$ that depends on $\frac{1}{n}\sum_i f_i$. From this bound we will immediately deduce a bound on $\epsilon_A$.

In general Alice's strategy may depend on what happened during the previous rounds. Let us denote by $h_i$ all the events that occurred in round $i$. This includes the values of $a_i$, $b_i$, the outcome of Bob's measurement in round $i$, and the outcomes of any probabilistic decisions made by Alice during round $i$. We abbreviate the sequence $h_1, \ldots, h_{i-1}$ by ${\rm past}_i$. Thus we denote by $E(q_i|{\rm past}_i) = P(q_i = 1|{\rm past}_i)$ the probability that $q_i = 1$ given what happened during previous rounds. We denote by $E(f_i|{\rm past}_i) = P(f_i = 1|{\rm past}_i)$ the probability that Bob will find outcome $|\psi_{a_i}\rangle$ when he carries out his measurement at step 5 of the protocol, given what happened during the previous rounds.

The importance of the quantity $E(f_i|{\rm past}_i)$ is that we can use Lemma 1 to relate it to $E(q_i|{\rm past}_i)$ by:

$$E(q_i|{\rm past}_i) \le F\big(E(f_i|{\rm past}_i)\big), \qquad (37)$$

where $F$ is defined in Lemma 1.

In order to use this result to bound the average bias $\epsilon_A$, we will use the theory of martingales p"s| ].

Definition. Consider random variables $S_1, \ldots, S_n$ and $X_1, \ldots, X_n$, such that $E(|S_i|) < \infty$ for all $i$. The sequence $S_1, \ldots, S_n$ is a super-martingale with respect to the sequence $X_1, \ldots, X_n$ if

$$E(S_i | X_1, \ldots, X_{i-1}) \le S_{i-1} . \qquad (38)$$

If the inequality is replaced with equality, then the sequence $S_1, \ldots, S_n$ is a martingale with respect to $X_1, \ldots, X_n$.

Hoeffding's inequality: Suppose that $S_1, \ldots, S_n$ is a super-martingale with respect to $X_1, \ldots, X_n$. Suppose also that $P(|S_i - S_{i-1}| \le 1) = 1$ for all $i$. Hoeffding's inequality states that for all $l > 0$,

$$P\Big(\max_{1 \le K \le n} S_K \ge l\sqrt{n}\Big) \le \exp(-l^2/2),$$

i.e., the fluctuations of (super-)martingales cannot be much larger than those one expects for independent random variables.

Now consider the variables $Y_i = f_i - E(f_i|{\rm past}_i)$. The sequence $S_K = \sum_{i=1}^K Y_i$ for $K = 1, \ldots, n$ is a martingale with respect to the sequence $h_1, \ldots, h_n$. The conditions in Hoeffding's inequality are obeyed. Hence we have that for any strategy of Alice,

$$P\Big(-\frac{1}{n}\sum_i \big[f_i - E(f_i|{\rm past}_i)\big] \ge \frac{l}{\sqrt{n}}\Big) \le \exp(-l^2/2). \qquad (39)$$

This expresses the fact that the actual results of Bob's measurements, given by $f_i$, cannot differ much from their expected value given the past.

The variables $S'_K = \sum_{i=1}^K Z_i$, where $Z_i = q_i - F\big(E(f_i|{\rm past}_i)\big)$, are a super-martingale with respect to $h_1, \ldots, h_n$ and also obey the conditions in Hoeffding's inequality, with $E(Z_i|{\rm past}_i) \le 0$ and $-1 \le Z_i \le +1$. Hence

$$P\Big(\frac{1}{n}\sum_i \big[q_i - F\big(E(f_i|{\rm past}_i)\big)\big] \ge \frac{l}{\sqrt{n}}\Big) \le \exp(-l^2/2). \qquad (40)$$

This expresses the fact that the average of Alice's results cannot exceed by much the average of the bounds given by Lemma 1.

Concavity of $F$ implies that

$$\frac{1}{n}\sum_{i=1}^n F\big(E(f_i|{\rm past}_i)\big) \le F\Big(\frac{1}{n}\sum_{i=1}^n E(f_i|{\rm past}_i)\Big) .$$

Inserting this in Eq. (40) yields

$$P\Big(\frac{1}{n}\sum_i q_i \ge F\Big(\frac{1}{n}\sum_i E(f_i|{\rm past}_i)\Big) + \frac{l}{\sqrt{n}}\Big) \le \exp(-l^2/2). \qquad (41)$$

Using the union bound for Eqs. (39) and (41) and the fact that $F$ is a decreasing function, one has

$$P\Big(\frac{1}{n}\sum_i q_i \ge F\Big(\frac{1}{n}\sum_i f_i - \frac{l}{\sqrt{n}}\Big) + \frac{l}{\sqrt{n}} \ \&\ {\rm pass}\Big) \le 2\exp(-l^2/2),$$

$$P\Big(\frac{1}{n}\sum_i q_i \ge F\Big(f^* - \frac{l}{\sqrt{n}}\Big) + \frac{l}{\sqrt{n}} \ \&\ {\rm pass}\Big) \le 2\exp(-l^2/2).$$

We now denote the event that

$$\frac{1}{n}\sum_i q_i \ge F\Big(f^* - \frac{l}{\sqrt{n}}\Big) + \frac{l}{\sqrt{n}}$$

as $J$. We define $I_J$ such that $I_J = 1$ if $J$ occurs and 0 otherwise, and $\bar I_J = 1 - I_J$. We go back to Eq. (36), which we write as

$$\frac{1}{2} + \epsilon_A = \max_{S_A, c} E\left[\Big(\frac{1}{n}\sum_i q_i\Big) \times I_{\rm pass} \times \big(I_J + \bar I_J\big)\right] \le 2\exp(-l^2/2) + F\Big(f^* - \frac{l}{\sqrt{n}}\Big) + \frac{l}{\sqrt{n}} . \qquad (42)$$



Taking $f^* = 1$, $\sin^2\theta = (\ln n)^{1/6}\, n^{-1/6}$, and $l = \sqrt{\ln n}$ yields

$$\epsilon_A \le \frac{1}{\sqrt{2}}\Big(\frac{\ln n}{n}\Big)^{1/12} + \frac{1}{2}\Big(\frac{\ln n}{n}\Big)^{1/3} + \Big(\frac{\ln n}{n}\Big)^{1/2} + \frac{2}{\sqrt{n}} , \qquad (43)$$

which, along with our results for Bob above, gives Eq. ©. On the other hand, if we take $f^* < 1$, with $\theta$ fixed, and $l = \sqrt{\ln n}$, we get

$$\epsilon_A \le \frac{\sqrt{2\big(1 - f^* + \sqrt{\ln n/n}\big)} + 1 - f^* + \sqrt{\ln n/n}}{2\sin^2\theta} + \sqrt{\frac{\ln n}{n}} + \frac{2}{\sqrt{n}} , \qquad (44)$$

which gives Eq. (11).



E. Dishonest Alice: bounds on entropy 

Finally, we prove a lower bound on the entropy of Bob's output, which will give us Eqs. and (10). In this section, we define the string $c$ such that $c_i = a_i \oplus b_i$. We begin by defining the set $S$, which is a subset of all possible strings $c$:

$$S = \Big\{ c : \frac{1}{n}\sum_i E(f_i|c_1, \ldots, c_{i-1}) \ge f^* - \frac{l}{\sqrt{n}} \Big\} . \qquad (45)$$

The idea is that conditioned on passing Bob's test, the probability that $c \in S$ is high, and that this can be used to bound the entropy of $y$ conditioned on passing the test. On the other hand, if the test is failed, Bob will simply output a random string, so that the entropy conditioned on this event is also high (equal to $n$, in fact).

Eq. (39) reads

$$P\Big(-\frac{1}{n}\sum_i \big[f_i - E(f_i|{\rm past}_i)\big] \ge \frac{l}{\sqrt{n}}\Big) \le \exp(-l^2/2),$$

which implies

$$P(c \in \bar S \ \&\ {\rm pass}) \le \exp(-l^2/2),$$

where $\bar S$ denotes the complement of $S$. Thus

$$P(c \in S | {\rm pass}) \ge 1 - \frac{\exp(-l^2/2)}{P({\rm pass})} . \qquad (46)$$

We shall use this below.

We bound the probability of a particular string $c$, where $c \in S$. Write

$$P(c \ \&\ {\rm pass}) \le P(c) = \prod_{i=1}^n P(c_i|c_1, \ldots, c_{i-1}) \le \prod_{i=1}^n F\big(E(f_i|c_1, \ldots, c_{i-1})\big) \le \Big[\frac{1}{n}\sum_{i=1}^n F\big(E(f_i|c_1, \ldots, c_{i-1})\big)\Big]^n \le \Big[F\Big(\frac{1}{n}\sum_{i=1}^n E(f_i|c_1, \ldots, c_{i-1})\Big)\Big]^n, \qquad (47)$$

where we have used the fact that $\prod_{i=1}^n x_i \le \big(\sum_{i=1}^n x_i/n\big)^n$, and the concavity of $F$. Now, if $c \in S$, then using Eq. (45) we immediately deduce that

$$P(c) \le \Big[F\Big(f^* - \frac{l}{\sqrt{n}}\Big)\Big]^n . \qquad (48)$$

This implies

$$P(c|{\rm pass}) \le \frac{\big[F(f^* - l/\sqrt{n})\big]^n}{P({\rm pass})} . \qquad (49)$$

Using the fact that if Bob's test is passed then $y = c$, we have

$$H(P(y|{\rm pass})) = H(P(c|{\rm pass})) = -\sum_c P(c|{\rm pass})\log P(c|{\rm pass}) \ge -\sum_{c \in S} P(c|{\rm pass})\log P(c|{\rm pass}) \ge -P(c \in S|{\rm pass})\,\log\frac{\big[F(f^* - l/\sqrt{n})\big]^n}{P({\rm pass})} . \qquad (50)$$

Using Eq. (46), we get

$$H(P(y|{\rm pass})) \ge \Big(1 - \frac{\exp(-l^2/2)}{P({\rm pass})}\Big)\Big[-n\log F\Big(f^* - \frac{l}{\sqrt{n}}\Big) + \log P({\rm pass})\Big] . \qquad (51)$$

Finally,

$$H(P(y)) \ge P({\rm pass})\,H(P(y)|{\rm pass}) + \big(1 - P({\rm pass})\big)\,H(P(y)|{\rm abort})$$

$$\ge P({\rm pass})\Big(1 - \frac{\exp(-l^2/2)}{P({\rm pass})}\Big)\Big[-n\log F\Big(f^* - \frac{l}{\sqrt{n}}\Big) + \log P({\rm pass})\Big] + \big(1 - P({\rm pass})\big)\,n . \qquad (52)$$
Now, considering $P({\rm pass})$ as an independent variable in Eq. (52), with $0 \le P({\rm pass}) \le 1$, it is easy to show that the right hand side is minimised if $P({\rm pass}) = 1$. (Note that we are only dealing with a lower bound, so this does not imply that Alice's best strategy will have $P({\rm pass}) = 1$.) We get

$$H(P(y)) \ge -n\log\Big[F\Big(f^* - \frac{l}{\sqrt{n}}\Big)\Big]\big(1 - \exp(-l^2/2)\big) . \qquad (53)$$

Setting $f^* = 1$, $l = \sqrt{\ln n}$ and $\sin^2\theta = n^{-1/8}(\ln n)^{1/8}$ gives



$$H(P(y)) \ge -n\log\Big[\frac{1}{2} + \frac{(\ln n)^{1/4}}{\sqrt{2}\,\sin^2\theta\, n^{1/4}} + \frac{\sqrt{\ln n}}{2\sqrt{n}\,\sin^2\theta}\Big]\Big(1 - \frac{1}{\sqrt{n}}\Big) \qquad (54)$$

which, along with our results for Bob above, gives Eq. (10). On the other hand, if we set $f^* < 1$, with constant $\theta$ and $l = \sqrt{\ln n}$, then we get

$$H(P(y)) \ge -n\log\Big[\frac{1}{2} + \frac{\sqrt{1 - f^* + \sqrt{\ln n/n}}}{\sqrt{2}\,\sin^2\theta} + \frac{1 - f^* + \sqrt{\ln n/n}}{2\sin^2\theta}\Big]\Big(1 - \frac{1}{\sqrt{n}}\Big) \qquad (55)$$

which gives Eq. (13).
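As an added numerical illustration (not code from the paper), the following evaluates the average-bias bound (42) and the entropy bound (53) through the single-round function $F$ of Lemma 1, contrasting the noiseless parameter settings used above with a constructed noisy setting; the base-2 logarithm, the noisy parameter values and the use of $l = \sqrt{\ln n}$ in the noiseless bias case are assumptions made here.

```python
import math

# Added numerical illustration of the bounds on a dishonest Alice; not code from
# the paper.  Assumptions: F is the Lemma 1 bound in the form reconstructed above,
# entropies are in bits (log base 2), and the noisy parameter values below are
# constructed for illustration only.


def F(x: float, sin2theta: float) -> float:
    """Single-round bound F(x) of Lemma 1 for a given sin^2(theta); 1 for x <= 0."""
    if x <= 0.0:
        return 1.0  # the bracket already exceeds 1 at x = 0, so the min is 1
    return min(0.5 + (math.sqrt(2.0 * (1.0 - x)) + (1.0 - x)) / (2.0 * sin2theta), 1.0)


def average_bias_bound(n: int, f_star: float, sin2theta: float, l: float) -> float:
    """Eq. (42): eps_A <= 2 exp(-l^2/2) + F(f* - l/sqrt n) + l/sqrt n - 1/2.

    The trivial bound eps_A <= 1/2 (from P(y = c) <= 1) is applied on top.
    """
    x = f_star - l / math.sqrt(n)
    raw = 2.0 * math.exp(-l * l / 2.0) + F(x, sin2theta) + l / math.sqrt(n) - 0.5
    return min(raw, 0.5)


def entropy_rate_bound(n: int, f_star: float, sin2theta: float, l: float) -> float:
    """Eq. (53) divided by n: H(P(y))/n >= -log2 F(f* - l/sqrt n) (1 - exp(-l^2/2))."""
    x = f_star - l / math.sqrt(n)
    return -math.log2(F(x, sin2theta)) * (1.0 - math.exp(-l * l / 2.0))


def noiseless_bias_bound(n: int) -> float:
    """Noiseless bias regime of the text: f* = 1, sin^2(theta) = (ln n)^(1/6) n^(-1/6), l = sqrt(ln n)."""
    ln_n = math.log(n)
    return average_bias_bound(n, 1.0, ln_n ** (1.0 / 6.0) * n ** (-1.0 / 6.0), math.sqrt(ln_n))


def noiseless_entropy_rate(n: int) -> float:
    """Noiseless entropy regime of the text: f* = 1, l = sqrt(ln n), sin^2(theta) = n^(-1/8)(ln n)^(1/8)."""
    ln_n = math.log(n)
    return entropy_rate_bound(n, 1.0, n ** (-1.0 / 8.0) * ln_n ** (1.0 / 8.0), math.sqrt(ln_n))


def noisy_bias_bound(n: int, f_star: float = 0.98, sin2theta: float = 0.9) -> float:
    """Noisy regime: fixed threshold f* < 1 and fixed theta (constructed values), l = sqrt(ln n).

    As n grows this tends to F(f*) - 1/2 > 0: a constant fraction of bias survives.
    """
    return average_bias_bound(n, f_star, sin2theta, math.sqrt(math.log(n)))


def noisy_bias_limit(f_star: float = 0.98, sin2theta: float = 0.9) -> float:
    """The n -> infinity value of noisy_bias_bound, namely F(f*) - 1/2."""
    return F(f_star, sin2theta) - 0.5


if __name__ == "__main__":
    for n in (10**4, 10**6, 10**9, 10**12):
        print(f"n=10^{round(math.log10(n))}: noiseless eps_A <= {noiseless_bias_bound(n):.3f}, "
              f"noisy eps_A <= {noisy_bias_bound(n):.4f}, noiseless H/n >= {noiseless_entropy_rate(n):.3f}")
    print(f"noisy limit F(f*) - 1/2 = {noisy_bias_limit():.4f}")
```

The noiseless bias bound shrinks only as $(\ln n/n)^{1/12}$, so very long strings are needed before it is far from the trivial value $1/2$, while the noisy bound settles at a constant.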



VII. FURTHER DISCUSSION 



In this section, we discuss a few further points of interest. 



A. Bit-string generation and bit-string commitment 



It is well known that there are relationships between the cryptographic tasks of coin tossing and bit commitment. Briefly, the idea in bit commitment is that Alice must commit a bit to Bob in such a manner that Bob cannot determine its value. At a later stage, Alice reveals the bit to Bob, and must not be able to reveal a value different from that which she committed. It is clear that a secure bit commitment implies secure (strong) coin tossing: Alice commits a bit to Bob, who guesses its value, and Alice then reveals whether Bob was correct. The outcome of the coin toss is 0 if Bob was correct and 1 otherwise. Bit commitment can obviously be generalised to bit-string commitment, and secure bit-string commitment will imply secure bit-string generation in a similar manner.

It was originally discovered by Lo and Chau [19], and independently by Mayers [20], that quantum bit commitment is not possible with arbitrary security. Kitaev's bound for quantum coin tossing provides an alternative proof of this fact. Spekkens and Rudolph have investigated partially secure quantum bit commitment [5] and Kent has introduced a scheme for quantum bit-string commitment with partial security [11].

We note that our protocol cannot be regarded as a bit-string commitment scheme, due to its sequential nature. It may seem tempting to modify the protocol so that i) Alice sends $|\psi_{a_1}\rangle, \ldots, |\psi_{a_n}\rangle$ to Bob, ii) Bob sends $b_1, \ldots, b_n$, and iii) Alice sends $a_1, \ldots, a_n$. This modified protocol is essentially a bit-string commitment protocol with a bit-string generation protocol built on top (the former being similar to Kent's protocols for quantum bit-string commitment).

Unfortunately, however, in the modified protocol there are new cheating strategies for Alice. Alice may prepare an entangled state of $n + 1$ systems, keeping 1 and sending $n$ to Bob. She then waits for $b_1, \ldots, b_n$ before performing a measurement on her system. The values of $a_1, \ldots, a_n$ may depend on the outcome of this measurement, and on the values of all of $b_1, \ldots, b_n$. It can be shown that if Alice uses such a strategy, then even in the noiseless case, the protocol is not relatively secure (in the sense defined in Sec. II). In fact, the security is not significantly better than the trivial classical protocol of Sec. III. Our notion of relative security can be adapted to bit-string commitment, and it follows that the associated bit-string commitment is not relatively secure either. These remarks apply equally to Kent's protocols for bit-string commitment (this does not contradict any of Kent's results, as his proofs involve weaker notions of security). We conjecture that no quantum bit-string commitment protocol with relative security exists.



B. Improving the protocol 



In Protocol 1 as described, Bob is fairly restricted in that he only estimates the fidelity of the states sent by Alice, and aborts if this is too low. In realistic situations, however, Bob may have a good idea of what shape the noise should have in the absence of cheating. For example, he may know that in the absence of cheating, the channel employed is a depolarising channel. In this case, Bob can perform quantum tomography on the states sent by Alice (separately for those rounds with $a_i = 0$ and $a_i = 1$). Bob will abort if the states received are not close to the noisy versions of the sent states that he is expecting. This will obviously restrict possible cheating by Alice, as she must reproduce the actual noisy states expected by Bob and not merely something with equivalent fidelity. In Ref. [13], the case was investigated in which Bob performs tomography, the channel is a depolarising channel, and Alice is restricted to individual attacks. The result, expressed in Theorem 2 of that reference, indicates that security against Alice in this case may be significantly improved. It may be, however, that the required tomographic measurements are practically difficult to perform in a given implementation.

C. Classical post-processing 

In the case of quantum key distribution in the presence of noise, a potential eavesdropper may have partial knowledge 
of the raw key. In the absence of quantum error correction techniques, the honest parties may use classical privacy 
amplification of the raw key data in order to reduce the eavesdropper's knowledge. If the noise is not too great, then 
an arbitrarily secure key may be obtained in this way |2l|. In light of this, it is natural to ask whether some kind 
of classical post-processing could improve the security of the bit-string generated by our protocol, at the expense of 
reducing the length of the string. From Kitaev's bound, we know that arbitrary security will not be possible, but 
could a relatively secure string be generated from a partially secure string? Or the level of partial security improved? 

In fact, although we do not offer a proof, we are sceptical. Classical information processing in general offers rather 
limited possibilities for two mistrustful parties, as opposed to two honest parties trying to defeat an eavesdropper. It 
is easy to see that certain ideas, such as taking parities of subsets of the string, do not work. The essential problem is 
that if a classical post-processing scheme requires randomness, then a cheating party will be able to bias it. Generating 
randomness trusted by both parties is the problem of bit-string generation in the first place. 